Should websites be legally required to be transparent about how they store their user data? I think it could improve the rather lapse security some sites are still using nowadays, and force them to rethink by getting complaints from users in the know.

leke wrote:Should websites be legally required to be transparent about how they store their user data? I think it could improve the rather lapse security some sites are still using nowadays, and force them to rethink by getting complaints from users in the know.

No. That's like a bank publishing where in the basement it keeps its strong boxes. It's an open invitation to thieves.

Privacy laws already require Tesco to keep your user data safe. If you think they are breaking the law, take it up with your MP - or, if you have evidence, take it to a solicitor who can advise you how to proceed without getting arrested for data theft.

Security through obscurity may be mostly bad for your software, but it is mostly good for your data.

"Klinger, do you know how many zoots were killed to make that one suit?" — BJ Hunnicutt, 4077 M*A*S*H

Security through obscurity is never good, but the question was about how the data is stored, not where.

"Keep the algorithm open and the key secret". If data is stored using a proprietary system, how are we supposed to know it is secure? Not that forcing sites to publicise details of the strength of their security would do any good. All it would do is result in a pissing contest over how many more bits of security a site uses than its competitors. It would become a tool for marketing to the ignorant rather than a genuine statement of the relevant facts.

"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)

leke wrote:Should websites be legally required to be transparent about how they store their user data?

I may be a little cynical, but as far as I am concerned, how they store data is irrelevant. What is important is what information they store. The safest operating procedure is to assume that every site one visits stores users' details, either for their own purposes or to sell it to advertisers. The best way to be safe is to be very careful to whom one gives any information. They get my IP address when I visit, but if they want anything else, not just anyone gets it.

One also needs to be careful about what activities one conducts on-line. As one example, I never have, and never shall, use on-line banking. I do not care how good a bank claims their security is. Banking and purchasing transactions require broadcasting sensitive information. The bank or store one is buying from and you, are not the only eyes on the internet.

In short; security is our responsibility. Use a little common sense, trust no one and always remember that there are no secrets when data is transmitted (broadcasted) over the net.

My bank issues us with a card containing key => values, so when we try to pay a bill we have to enter one from our issued card. It seems the system was recently open to trickery though. It looks like something was changing the account number on the bill upon submission. The guy didn't check the payee's account number on the returning SMS (SMS is only issued when suspicion arises) and sent his money to another account.

But you are missing all the fun! 1 bank I use I have two passwords, and if I want to to move money to anyone else I get a fancy call from an automated voice which is all very exciting, and then I get texts and emails saying are you sure, then another bank I have 3 passwords and a weird calculator thing. Its all great fun and if you are a poor student like me you don't have much money for anyone to steal anyway!

And then I can tweet them when it all goes wrong*

* Thus revealing who I bank with to the world, in hopes that the spammers pick this up and send me phishing emails from the correct bank

For certain you have to be lost to find the places that can't be found. Elseways, everyone would know where it was

leke wrote:Should websites be legally required to be transparent about how they store their user data?

I may be a little cynical, but as far as I am concerned, how they store data is irrelevant. What is important is what information they store.

No, Leke asked how they store it. What they store may (or may not) be more important, but that is a different question. There are things that you may have asked them to store such as your bank card details because you deal with them regularly. Maybe you don't yourself, but some of us do.

Debian Acolyte wrote:I never have, and never shall, use on-line banking. I do not care how good a bank claims their security is. Banking and purchasing transactions require broadcasting sensitive information. The bank or store one is buying from and you, are not the only eyes on the internet.

Without knowing much about it I'm guessing that the bank's customer database is accessible from the internet anyway, even if your particular account is not flagged as activated for such use. They are hardly going to split their customer database into two parts just because some use Internet banking and some do not. So your not using it may not such a good barrier as you thought it was.

Are there actually any cases of hackers getting into someone's bank account other than the owner being careless with their passwords or card details, or them being stolen?

Anyway, I do not think banks are much of a problem - they would fall over themselves to restore things as they would not want a public panic. Small merchants are a bigger threat - you know, the ones who see your credit or debit card every time you buy something.

Unsolved mysteries of the Universe, No 13 :-
How many remakes of Anna Karenina does the World need?

Another point is that I have bank accounts with more than one bank, and one account I run purely for potentially dodgy deals, such as buying things over the Internet. I do not keep much in it, have a deliberately low overdraft limit, and my income is not paid into it. Moreover, it would not inconvenience me to pick up the phone and shut it down if I had to.

So if an on-line merchant rooks me over it, then, like bobthebob1234 the poor student earlier here, I would not lose much even if the Bank stone-walled over it.

PS It is with First Direct. I only opened it because they said they would pay me £50 if I did. Having opened it they also then sent me a crate of wine "in gratitude". I think they blundered into giving me two promotional gifts Best business I ever did. Funny, they have this "Go ahead" image but they were one of the last banks to offer Internet Banking.

TSB (now Lloyds TSB) were much earlier and I was told I was TSB's first on-line customer in SW England. It went through a special Windows app which I ran under OS/2. I was also told I was their only ever OS/2 customer (that they knew of anyway).

Unsolved mysteries of the Universe, No 13 :-
How many remakes of Anna Karenina does the World need?

how do you work that out? A great big locked door is not obscure, a small door with a poor lock hidden behind a curtain is the physical equivalent of security through obscurity.

The point of that quote, which a first heard from a cryptography professional, is that it is important for all affected to know that the method of securing the data really is secure. Millions of people know how PGP works, but not one of them has cracked it when used with a secure key.

"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)

So let's take a real life example. If Linkedin would have had a security page that published that user passwords where stored as unsalted MD5 hashes, do you think they would have become an obvious target for hackers (before they where hacked and the hashes obtained), or would you say they would be bothered by their community to use a more secure system to secure password contents before the hack happened?

I think there is enough of a time-frame were the users can force a web-company make a change before hackers can obtain the hashes.

I'd say that if they had to publish the information, they would never have used such an insecure method. Especially on a site with a large number of technically aware members. The hackers are going to find out anyway, the only people they are hiding the information from are the honest users who trust the organisation to do things properly, even when they do not.

"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)